by Wade Williamson on November 05, 2013
As part of my job, I spend a good deal of my waking hours thinking about information security and sharing my findings with IT security practitioners. What are the latest techniques we see from attackers, and what sorts of techniques or policies work best to mitigate them? And as attacks have become more sophisticated, it has also become increasingly clear that security technologies and solutions absolutely must benefit from one another and work together as a platform. In isolation, any single technology is no match for sophisticated attackers.
Network traffic must be fully inspected and decoded to ensure visibility into what it carries. A variety of technologies are needed to scan traffic for threats. Behavioral analysis and anomaly detection are critical for proactively exposing new threats and driving new protections. Beyond the network, security must extend to end-user devices and the data itself, and all of these things need to work together. For many of you reading, this is hardly news. Enterprise security teams face the challenge of integrating security measures on a daily basis.
The situation couldn’t be more different on the consumer side of the world. Consumerization has obviously had massive impacts on IT, ranging from always-connected smartphones and tablets, to social media applications that have changed how information is shared, to the progressive move toward all things cloud. Despite these gains in consumer IT technology, there has been almost no progress in terms of threat prevention for consumers. Sure, modern operating systems and browsers have become less vulnerable to attacks (although attacks still happen), and applications have moved to automated updates to ensure most users are protected by the latest fixes. But these efforts are mostly limited to minimizing vulnerabilities. When it comes to actually detecting and blocking badness, consumers are limited to running the same host-based antivirus software they have had for the past 10 years.
This is not to say that desktop antivirus is bad, but simply that on its own it is woefully insufficient against modern advanced threats. No self-respecting IT admin would look at today’s threat landscape of advanced persistent threats and conclude, “We are going to put AV on our desktops and call them secured.” It just isn’t sufficient. It lacks the entire concept of an independent network security layer, and doesn’t incorporate many of the most important advancements in security such as next-generation firewalling, malware behavioral analysis and sandboxing. Furthermore, it simply lacks any respectable level of defense-in-depth.
This level of security is beyond the understanding of most end-users, whose interest in security typically begins with online shopping and ends with online banking. However, it should be very concerning to IT teams. Simply put, the majority of new devices that end-users are bringing into the enterprise have very little in the way of real security. Additionally, most enterprise efforts targeting these devices use some form of mobile device management (MDM). These solutions focus on creating separate containers that segment corporate data from the end-user’s personal data on the device. This is certainly important, but it’s not really the same thing as security. If an attacker compromises an end-user’s device, punching through containers is relatively easy. A compromised device can still be an easy avenue for an attacker to steal passwords and gain access to the corporate network.
In fact, mobile devices will likely become an increasingly popular target for advanced attackers. They can interact with the corporate network over WiFi, but can also route traffic over cellular networks. Compromised mobile devices can easily record audio and video, and eavesdrop on phone calls. Most mobile devices include GPS, which can enable an attacker to target surveillance even more selectively. In fact, in comparison to a hacked laptop, a hacked smart device can give cybercriminals many more opportunities to compromise a corporate network. Combine this with the fact that these devices are likely the least secured devices, and you are looking at the most vulnerable attack surface in the network.
Ultimately, this is why we need to apply the full force of enterprise security to mobile devices. The challenge of mobility goes beyond simply how to manage BYOD; it extends to all of security. If you are going to analyze network traffic for hidden malware or look for anomalous behaviors that indicate an infection, you should be sure to include mobile devices and mobile malware in your efforts. Consistency is one of the hallmarks of good security, and this will certainly apply to mobility. Enterprises that don’t take mobility into consideration when building their security policies do so at their own peril.